Security researchers have discovered a new Android Trojan that could compromise 421 million devices.
The Doctor Web team revealed information about this Trojan called Android.Spy.SpinOk in an advisory published on Monday.
SpinOk has several spyware capabilities such as file harvesting and clipboard content capture. The Trojan can be embedded within other apps, thereby spreading and infecting millions of devices.
On the surface, SpinOk modules offer users attractive features such as mini-games, tasks, and prize opportunities. Once activated, however, the Trojan SDK establishes a connection to a command-and-control (C2) server and sends it extensive technical data about the infected device.
Viakoo CEO Bud Broomhead said, “Threat actors are deeply invading the Android gaming niche and focused on making money for players.”
“They may be interested in that niche because of things like observing the transfer of funds to bank accounts, or observing that players may have certain files that could be further abused. It could be focused.”
The data includes readings from various sensors (gyroscopes, magnetometers, etc.), which allow the module to recognize an emulator environment and adjust its behavior to avoid detection by security researchers.
Additionally, the malware ignores the device’s proxy settings, so its network connections can evade a proxy-based capture during analysis. It then receives a list of URLs from the server and loads them into a WebView to display advertising banners.
Doctor Web’s experts have detected the Trojan module and its various iterations in several apps available on Google Play. Some of these apps still include the malicious software development kit (SDK), in others it is present only in specific versions, and some have been removed from the platform entirely.
“For mobile app developers, SDKs are mostly black boxes. No one checks what else the SDK can do when it runs inside an app,” explains Krishna Vishnubhotla, vice president of product strategy at Zimperium.
“Malicious attackers also do not do this easily, as most of the code for suspicious activity is only downloaded when certain conditions are met on the device to avoid detection.”
Doctor Web said its analysis found the presence of the Trojan in 101 apps with a total of 421,290,300 downloads. The company confirmed that it notified Google of the threat.